Is there a SELinux tutorial for ISVs ?

[Daniel J Walsh]

This string of messages brings up something I wanted to get a 
conversation going on how to handle non OS Provided policy.

We all know we need a better mechanism for handling "binary" policy in 
the future.  ( I think the future is now.)
I see three people providing policy.

1. OS Provider with base policy.  (It would also be nice if the base 
policy got broken into several policies and only the policy
of the running service would be loaded.  If we got to this state we 
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy. 

2. Third Party application developers.  As the use of targeted policy 
has begun to take off, Third Party ISV have started to question
how they can play in this world.

I see Tresys Stuff solving the problems of both of the above.

3 Local User customization and minor policies.  Currently we have people 
using audit2allow creating files in domains/misc and then
reloading policy.   We need a mechanism for users to be able to do this 
without recompiling policy.    Also more significantly how
do we handle the small diffed apache_domain stuff.  A couple of months 
ago I redesigned apache policy to have a macro called
apache_domain.  A user could create a new apache_XYZ.te file with

apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts 
working without turning off apache protection or running their script in
httpd_unconfined_script_t.

The problem is the only way to do this is to install policy sources and 
muck around.    I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily 
build their own custom policy.


Anyways I think we need more discussion on handling third party and user 
customization of policy outside of the current make tree stuff.

Dan

Dan

--